Building a Culture of Security
We all hear about cyber security a LOT. It’s constantly in the news: one company after another becomes the victim of an attack, and recently some of the biggest names in business have been included — Under Armour’s MyFitnessPal app, Panera Bread, Boeing, the City of Atlanta. If these companies are susceptible, how are the rest of us supposed to ensure we are secure? To me, one of the big ways we can protect ourselves is to build a culture of security within our organizations.
What does this mean?
Building a culture of security starts with finding a way to communicate security and the existing threats between the IT and executive teams and the rest of the employees. This can pose one of the biggest challenges. To many people, technology and cyber security are intimidating. People are afraid of, and uncomfortable with, branching into things that are unknown or new to them.
One of the easiest ways to simplify that communication is to put yourself in your employees’ shoes and answer the following questions:
- How does cyber security affect me personally?
- How does cyber security affect my company?
If you can brainstorm around these two questions, you can start figuring out ways to communicate on the employees’ level.
Try some role plays or real life examples — who was impacted by the Target, Home Depot, or Equifax breaches? How did this make you feel? How do you think our customers would feel if we, as an organization, had this happen? What are our company core values? Are trust, communication, or transparency (or any number of synonyms) part of our core values? How can we build our customers’ trust when they hand over their personal data to us?
Another method I have found very successful in creating a culture of security is consistency. In order to build a culture and build habits, security must not be just something we talk about once a year, or (even worse) only during new employee orientation. Security must stay front of mind. Can you send out a monthly quiz? Can you send out a recent article or blog post of either great security examples or terrible security examples to learn from? Can you send out videos or a challenge every month to all users? Ask your employees where they see opportunities for improvement. Your front line employees are the eyes and ears of your organization. These are the people interacting with the customers on a daily basis, and they often have great ideas that those above them aren’t able to see from their vantage point.
One of the ways that this can have the most relevant impact is to (when appropriate) use examples that happen internally as learning opportunities. If someone accidentally sends out an unencrypted email, or falls for one of your phishing email tests, share this as a growth and learning opportunity for everyone. These instances can happen to any of us, and reminding the rest of the team how this happened and what they can do to prevent it in the future is going to make everyone more aware and keep security front of mind. Who knows, maybe your team will brainstorm around it and come up with better processes, which can then improve the security stance of the organization.
Lead by Example
My final method to achieving a culture of security is that you must lead by example. Find a few allies within your organization who also see building a culture of security as a high priority. Ensure you have a united front from the leadership team. If they are all leading by example and following the policies the organization has put in place, it will make the overall company buy-in and culture of security even stronger. These policies could include ensuring users encrypt sensitive emails and follow the web content filtering policies (and not having executives ask for special exceptions so they can access their personal Gmail, for example, even though it’s been blocked for everyone else in order to protect your network from the risk of opening unmonitored emails). Yes, it is sometimes easy for an executive to plead their case to the IT team or demand access to some of these things because the policy may be a nuisance, but if a security-first mindset is exhibited by leadership, it is much more likely everyone else will adopt and follow it.
Another layer to this is that we’re all responsible for doing our part. A security threat often comes from someone making an innocent mistake: clicking on an email link, going to an infected website, or sending out an unencrypted email. Developing a ‘see something, say something’ type of mindset within your organization puts the responsibility on everyone to do their part. This also reinforces the consistency and the cultural idea that cyber security is of utmost importance. In some cases, I’ve seen organizations make it semi-fun and light to hold each other accountable: they’ll have the Security Officer or another IT Manager walk around and see whose computer is unlocked and play a trick on that user by changing their desktop background or that sort of thing as a gentle reminder.
Cyber security is a complex topic. If you can ultimately find a way to communicate with your employees in a language they really understand and can get behind, it will be much easier to develop this culture of security. If you can do that, you can significantly remediate some of your risks, and unlike some of the other cyber security remediations out there, when budgets are tight, this one does not require a large monetary investment.